IT Governance, 6th Edition

Book Description

IT Governance offers a full understanding of how best to deal with information security risks, including an overview of the very latest industry standards in key markets around the world.

Table of Contents

  1. CoverImage
  2. Title Page
  3. Contents
  4. Introduction
  5. 01    Why is information security necessary?
    1. The nature of information security threats
    2. Information insecurity
    3. Impacts of information security threats
    4. Cybercrime
    5. Cyberwar
    6. Advanced persistent threat
    7. Future risks
    8. Legislation
    9. Benefits of an information security management system
  6. 02    The UK Combined Code, the FRC Risk Guidance and Sarbanes–Oxley
    1. The Combined Code
    2. The Turnbull Report
    3. The Corporate Governance Code
    4. Sarbanes–Oxley
    5. Enterprise risk management
    6. Regulatory compliance
    7. IT governance
  7. 03    ISO27001
    1. Benefits of certification
    2. The history of ISO27001 and ISO27002
    3. The ISO/IEC 27000 series of standards
    4. Use of the standard
    5. ISO/IEC 27002
    6. Continual improvement, Plan–Do–Check–Act and process approach
    7. Structured approach to implementation
    8. Management system integration
    9. Documentation
    10. Continual improvement and metrics
  8. 04    Organizing information security
    1. Internal organization
    2. Management review
    3. The information security manager
    4. The cross-functional management forum
    5. The ISO27001 project group
    6. Specialist information security advice
    7. Segregation of duties
    8. Contact with special interest groups
    9. Contact with authorities
    10. Information security in project management
    11. Independent review of information security
    12. Summary
  9. 05    Information security policy and scope
    1. Context of the organization
    2. Information security policy
    3. A policy statement
    4. Costs and the monitoring of progress
  10. 06    The risk assessment and Statement of Applicability
    1. Establishing security requirements
    2. Risks, impacts and risk management
    3. Cyber Essentials
    4. Selection of controls and Statement of Applicability
    5. Statement of Applicability Example
    6. Gap analysis
    7. Risk assessment tools
    8. Risk treatment plan
    9. Measures of effectiveness
  11. 07    Mobile devices
    1. Mobile devices and teleworking
    2. Teleworking
  12. 08    Human resources security
    1. Job descriptions and competency requirements
    2. Screening
    3. Terms and conditions of employment
    4. During employment
    5. Disciplinary process
    6. Termination or change of employment
  13. 09    Asset management
    1. Asset owners
    2. Inventory
    3. Acceptable use of assets
    4. Information classification
    5. Unified classification markings
    6. Government classification markings
    7. Information lifecycle
    8. Information labelling and handling
    9. Non-disclosure agreements and trusted partners
  14. 10    Media handling
    1. Physical media in transit
  15. 11    Access control
    1. Hackers
    2. Hacker techniques
    3. System configuration
    4. Access control policy
    5. Network Access Control
  16. 12    User access management
    1. User access provisioning
  17. 13    System and application access control
    1. Secure log-on procedures
    2. Password management system
    3. Use of privileged utility programs
    4. Access control to program source code
  18. 14    Cryptography
    1. Encryption
    2. Public key infrastructure
    3. Digital signatures
    4. Non-repudiation services
    5. Key management
  19. 15    Physical and environmental security
    1. Secure areas
    2. Delivery and loading areas
  20. 16    Equipment security
    1. Equipment siting and protection
    2. Supporting utilities
    3. Cabling security
    4. Equipment maintenance
    5. Removal of assets
    6. Security of equipment and assets off-premises
    7. Secure disposal or reuse of equipment
    8. Clear desk and clear screen policy
  21. 17    Operations security
    1. Documented operating procedures
    2. Change management
    3. Separation of development, testing and operational environments
    4. Back-up
  22. 18    Controls against malicious software (malware)
    1. Viruses, worms, Trojans and rootkits
    2. Spyware
    3. Anti-malware software
    4. Hoax messages and Ransomware
    5. Phishing and pharming
    6. Anti-malware controls
    7. Airborne viruses
    8. Technical vulnerability management
    9. Information Systems Audits
  23. 19    Communications management
    1. Network security management
  24. 20    Exchanges of information
    1. Information transfer policies and procedures
    2. Agreements on information transfers
    3. E-mail and social media
    4. Security risks in e-mail
    5. Spam
    6. Misuse of the internet
    7. Internet acceptable use policy
    8. Social media
  25. 21    System acquisition, development and maintenance
    1. Security requirements analysis and specification
    2. Securing application services on public networks
    3. E-commerce issues
    4. Security technologies
    5. Server security
    6. Server virtualization
    7. Protecting application services transactions
  26. 22    Development and support processes
    1. Secure development policy
    2. Secure systems engineering principles
    3. Secure development environment
    4. Security and acceptance testing
  27. 23    Supplier relationships
    1. Information security policy for supplier relationships
    2. Addressing security within supplier agreements
    3. ICT supply chain
    4. Monitoring and review of supplier services
    5. Managing changes to supplier services
  28. 24    Monitoring and information security incident management
    1. Logging and monitoring
    2. Information security events and incidents
    3. Incident management – responsibilities and procedures
    4. Reporting information security events
    5. Reporting software malfunctions
    6. Assessment of and decision on information security events
    7. Response to information security incidents
    8. Legal admissibility
  29. 25    Business and information security continuity management
    1. ISO22301
    2. The business continuity management process
    3. Business continuity and risk assessment
    4. Developing and implementing continuity plans
    5. Business continuity planning framework
    6. Testing, maintaining and reassessing business continuity plans
    7. Information security continuity
  30. 26    Compliance
    1. Identification of applicable legislation
    2. Intellectual property rights
    3. Protection of organizational records
    4. Privacy and protection of personally identifiable information
    5. Regulation of cryptographic controls
    6. Compliance with security policies and standards
    7. Information systems audit considerations
  31. 27    The ISO27001 audit
    1. Selection of auditors
    2. Initial audit
    3. Preparation for audit
    4. Terminology
  32. Appendix 1: Useful websites
  33. Appendix 2: Further reading
  34. Index
  35. Copyright